PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

ID: S0378
Type: TOOL
Platforms: Windows, Linux, macOS

Version: 1.0

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1134 | Access Token Manipulation | PoshC2 contains a number of modules, such as Invoke-RunAs and Invoke-TokenManipulation, for manipulating tokens.[1]
Enterprise | T1087 | Account Discovery | PoshC2 can enumerate local and domain user account information.[1]
Enterprise | T1119 | Automated Collection | PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1]
Enterprise | T1110 | Brute Force | PoshC2 has modules for brute forcing local administrator and AD user accounts.[1]
Enterprise | T1088 | Bypass User Account Control | PoshC2 can utilize multiple methods to bypass UAC.[1]
Enterprise | T1090 | Connection Proxy | PoshC2 contains modules that allow for use of proxies in command and control.[1]
Enterprise | T1003 | Credential Dumping | PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1]
Enterprise | T1081 | Credentials in Files | PoshC2 contains modules for searching for passwords in local and remote files.[1]
Enterprise | T1002 | Data Compressed | PoshC2 contains a module for compressing data using ZIP.[1]
Enterprise | T1482 | Domain Trust Discovery | PoshC2 has modules for enumerating domain trusts.[1]
Enterprise | T1068 | Exploitation for Privilege Escalation | PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1]
Enterprise | T1210 | Exploitation of Remote Services | PoshC2 contains a module for exploiting SMB via EternalBlue.[1]
Enterprise | T1083 | File and Directory Discovery | PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1]
Enterprise | T1056 | Input Capture | PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1]
Enterprise | T1171 | LLMNR/NBT-NS Poisoning and Relay | PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1]
Enterprise | T1046 | Network Service Scanning | PoshC2 can perform port scans from an infected host.[1]
Enterprise | T1040 | Network Sniffing | PoshC2 contains a module for taking packet captures on compromised hosts.[1]
Enterprise | T1075 | Pass the Hash | PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1]
Enterprise | T1201 | Password Policy Discovery | PoshC2 can use Get-PassPol to enumerate the domain password policy.[1]
Enterprise | T1069 | Permission Groups Discovery | PoshC2 contains modules, such as Get-LocAdm, for enumerating permission groups.[1]
Enterprise | T1055 | Process Injection | PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.[1]
Enterprise | T1035 | Service Execution | PoshC2 contains an implementation of PsExec for remote execution.[1]
Enterprise | T1071 | Standard Application Layer Protocol | PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1]
Enterprise | T1082 | System Information Discovery | PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[1]
Enterprise | T1016 | System Network Configuration Discovery | PoshC2 can enumerate network adapter information.[1]
Enterprise | T1049 | System Network Connections Discovery | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1]
Enterprise | T1007 | System Service Discovery | PoshC2 can enumerate service and service permission information.[1]
Enterprise | T1047 | Windows Management Instrumentation | PoshC2 has a number of modules that use WMI to execute tasks.[1]
Enterprise | T1084 | Windows Management Instrumentation Event Subscription | PoshC2 has the ability to persist on a system using WMI events.[1]

Groups

Groups that use this software:

APT33

References